diff --git a/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java b/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
index 158a6d0d..8f23892a 100644
--- a/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
+++ b/common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
@@ -110,7 +110,8 @@ public class ServletUtils {
 		}
 		
 		String uri = request.getRequestURI();
-		if (StringUtils.inStringIgnoreCase(uri, ".json", ".xml")){
+		if (StringUtils.endsWithIgnoreCase(uri, ".json")
+				|| StringUtils.endsWithIgnoreCase(uri, ".xml")){
 			return true;
 		}
 		
diff --git a/modules/core/src/main/java/com/jeesite/common/shiro/filter/PermissionsAuthorizationFilter.java b/modules/core/src/main/java/com/jeesite/common/shiro/filter/PermissionsAuthorizationFilter.java
index 3ba516a2..27f6a26c 100644
--- a/modules/core/src/main/java/com/jeesite/common/shiro/filter/PermissionsAuthorizationFilter.java
+++ b/modules/core/src/main/java/com/jeesite/common/shiro/filter/PermissionsAuthorizationFilter.java
@@ -73,6 +73,14 @@ public class PermissionsAuthorizationFilter extends org.apache.shiro.web.filter.
 		}
 		if (ServletUtils.isAjaxRequest(req)) {
 			try {
+				String uri = req.getRequestURI();
+				if (StringUtils.endsWithIgnoreCase(uri, ".json")
+						&& !StringUtils.endsWithIgnoreCase(loginUrl, ".json")){
+					loginUrl += ".json";
+				}else if (StringUtils.endsWithIgnoreCase(uri, ".xml")
+						&& !StringUtils.endsWithIgnoreCase(loginUrl, ".xml")){
+					loginUrl += ".xml";
+				}
 				request.getRequestDispatcher(loginUrl).forward(
 						new GetHttpServletRequestWrapper(request), response);
 			} catch (ServletException e) {